Email or username:

Password:

Forgot your password?
Top-level
Foone🏳️‍⚧️

but given the state of them when they arrived at ewaste?

no they did not

104 comments
Foone🏳️‍⚧️

when you see a gaylord stacked high with NUCs and half of them still have USB fans attached, you know these were all just yanked off a shelf.
no one wiped these.

King Calyo Delphi

@jaykass @foone lmao yeah it's a common term in warehouse logistics

Signed:
Someone who has delivered car parts for a living and had to unpack gaylords brought in on truck day

Foone🏳️‍⚧️

I have now stuck the hard drive in my imaging box

it turns out it was in service as of June.

and this one has log errors about the sensors in the bathroom and bedroom. this was used. fuck.

Fi, infosec-aspected

@foone

oh that's.......that's -reallllllll- unfortunate.

Fi, infosec-aspected

@foone

is the company still in business because this is a material breach type situation

Foone🏳️‍⚧️

HEY FUN FACT: this was used as part of an Alexa/google home type thing! this is the "cloud" half, as in the part sitting in a warehouse somewhere.
It turns out every time the customer asked for something from the smart assistant, the WAV file was sent to the cloud box

where it is still stored. and I now have eleven thousand wave files

Graham Spookyland🎃/Polynomial

@foone the people behind this need to be barred from operating a business ever again. I know this shit happens all the time with liquidated assets but it's fucking unacceptable.

Rob

@foone JFC this is doubleplusungood

Advanced Persistent Teapot

@foone exhibit #1473 in Why I Will Not Have Smart Home Shit, Ever

Glyph

@foone this has _got_ to be some kind of crime, right? like, not you having the wav files, but the fact that someone gave them to you. a HIPAA violation at the very least

Foone🏳️‍⚧️

@glyph oh, most likely.
but I probably have all this shit because they are gone and bankrupt

Graham Spookyland🎃/Polynomial

@glyph @foone sadly, no. at most it's *maybe* a GDPR violation depending on the content of the WAV files, but likely not, and I'm guessing that's going to be impossible to prosecute anyway because the assets are almost certainly a result of an insolvency liquidation. I see this shit all the damn time and right now there's very little recourse for those affected.

Momo

@gsuberland
If this is from an EU customer, it is a GDPR violation. But as you stated, there is probably no legal entity anymore that could pay the fine. Which means we need an appendix that ensures that the insolvency administrator enforces GDPR in liquidation cases (or would be personally liable if shit like this happens).

And again, this would probably not apply to the US so good look out there...
@glyph @foone

@gsuberland
If this is from an EU customer, it is a GDPR violation. But as you stated, there is probably no legal entity anymore that could pay the fine. Which means we need an appendix that ensures that the insolvency administrator enforces GDPR in liquidation cases (or would be personally liable if shit like this happens).

Foone🏳️‍⚧️

god the logs are full of errors about assorted video streams failing.
so this thing was connecting to something which had cameras. like, I can tell which room of the house failed.

now I don't think there's any video stored on this device, but keep in mind: the fools that made this thing fill up with WAV files? they also designed the video streaming part. Where are those videos stored, and how safe are they?

Foone🏳️‍⚧️

or maybe the fools who dumped all the NUCs from their entire "AI remote healthcare" in the recycling without yanking any drives are just somehow REALLY GOOD at knowing how to secure their s3 buckets.

Foone🏳️‍⚧️

assuming their S3 keys aren't just saved in this harddrive somewhere

Foone🏳️‍⚧️

jesus christ this isn't the only time THIS MONTH I've found an IoT device and checked the filesystem contents and it's got their private git repos on it

Foone🏳️‍⚧️

and now I can email the lead developer.

or just commit to their git repo, I guess.

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

okay so the good news is that they don't just have S3 keys laying around in plain text.
the other good news is that they have a secrets manager
the bad news is that they rolled their own secrets manager
the extra bad news is that I have the source for said secrets manager
and the extra extra bad news is that it has to decrypt those keys without external input, meaning I have all the parts here to pull out their s3 keys

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

oh hey!

this thing authenticates to some of their servers (which are still up, even if the company might not be (this is unknown at the moment)) over SSH! using keys kept in the same home-rolled vault thing!

so I can SSH into their servers now!

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

oh god this thing sends email from gmail

please tell me they didn't embed the google login into this device

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

tempted to drive past their HQ with a megaphone "I'VE GOT YOUR MODELS, YOU AI HACKS!"

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

wait. did they seriously stuff videos into their redis database?

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

they sure did! I have a video of someone picking something up from outside a door.

Elfi, :verifiedtransbian: cute moth replied to Foone🏳️‍⚧️

@foone Better act fast, 'tis the season for Spirit Halloween to start inhabiting old husks

Σ(i³) = (Σi)² replied to Foone🏳️‍⚧️

@foone
I heard somewhere you were low on cash? I wonder how much what you have there might fetch on some shady website...

Wilfried Klaebe replied to Foone🏳️‍⚧️

@foone Can you push to their git server though?

Elfi, :verifiedtransbian: cute moth

@foone If there was a bounty for this kind of shit, you'd never have to work again. my god.

Foone🏳️‍⚧️ replied to Elfi, :verifiedtransbian: cute moth

@elfi yeah. the problem is I'd have to become a security researcher and I'm reasonably sure I'd rather die

Juliet Merida (she/they) 🚝🏳️‍⚧️🏹🎯

@foone@digipres.club Based on what you've described so far I'd be surprised if you *don't* find their keys.

The Turtle

@foone some models of those NUCs run Mac OSX pretty well.

Zen_Fox.tar.gz

@foone this is like a horror story ohno 😭

Lars Marowsky-Brée 😷

@foone Uhm. This sounds like you can finance the rest of your life with a class action law suit.
Or, if that has data from EU/California citizens, have a noticeable impact to their shareholder value.
I think you're set.

Tod Beardsley 🤘

@larsmb @foone while Foone probably doesn’t have standing to be in the class, they can certainly try to charge a consulting fee to a law firm.

Wilfried Klaebe

@foone Someone needs to be sued to hell and back. And then to hell again.

Niko :neofox_flag_nb_256: :neofox_flag_trans_256:

@foone oh great
flashbacks to the time i discovered home assistant kept my precise location history for two weeks
at least that was on my own hardware
this is somewhat more terrifying

The Turtle

@foone "HEY ALEXA!!! BUY MORE SHIT FROM THAT PLACE!!"

"Buying more shit from that place."

Dominic

@foone oh good grief I feel like I'd fuck up that drive immediately to be rid of it, might as well be toxic waste for how much I don't want that

Andrew

@foone why the hell were they using NUCs as servers?

DEDGirl

@foone and people are giving all access for convenience. I have Alexa, & a security camera. My camera constantly wants access to Alexa. Why? Um, no. 🙄 My camera constantly wants me to join some cloud service where all the videos live forever. The SD card’s plenty, thanks. Stop trying to make me go cloud service. I know there are tons of people using the cloud service just to make the prompts go away. 20 years ago we wouldn’t even talk about pot in front of our TVs!

rabbit

@foone If you're in the bay area, it's 50/50 whether they were disposed of improperly or just stolen, tbh.

Go Up